How can I record and maybe monitor all DNS requests and replies?



  • When I was setting up my pfSense 2.1 I was logging the traffic and I noticed that in the console if I chose option 10) Filter Logs I could see the DNS requests going out to Google's DNS server, in addition to the actual src dest I could see the hostname or reverse IP requested. I have since disabled logging pass packets.

    My question is how can I access DNS request information in the web interface, is there any way I record for diagnostic purposes all requested info (hostnames) and replies if possible, sent over the LAN interface? I'm looking to view them in a prettier format so I can easily see what hostnames were resolved, what reverse IP, etc.

    Thanks


  • LAYER 8 Global Moderator



  • @johnpoz:

    Its not in the web, but you could always run dnstop on pfsense.

    Thanks. I don't have pkg-add but I have pkg_add, so I tried that. Since I have amd64 I just tried without the URL but it fails:

    $ pkg_add -r dnstop.tbz
    pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/dnstop.tbz' by URL
    Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/dnstop.tbz: Syntax error, command unrecognized
    

    The URL exists and my internet connection is up so I don't know why that happens. Can someone running 8.3 try that command and see what happens?

    I'm looking for a way to record all DNS queries to a file if I can but it doesn't look like dnstop will let me write all queries to a file unless I'm reading raw queries from a file (but maybe I don't understand).


  • LAYER 8 Global Moderator

    I clearly show pkg_add in what I typed, so not sure why you would see pkg-add

    Shows you have a syntax error? unknown command do you have a issue with ftp on your install of pfsense?

    Why don't you just download the package directly from the correct location?

    http://ftp-archive.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/dnstop-20110502.tbz

    edit: then add it from there

    wget http://ftp-archive.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/dnstop-20110502.tbz
    –2014-04-21 05:51:09--  http://ftp-archive.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/dnstop-20110502.tbz
    Resolving ftp-archive.freebsd.org (ftp-archive.freebsd.org)... 128.205.32.24
    Connecting to ftp-archive.freebsd.org (ftp-archive.freebsd.org)|128.205.32.24|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 22846 (22K) [application/x-bzip-compressed-tar]
    Saving to: `dnstop-20110502.tbz'

    100%[=========================================================================================>] 22,846      –.-K/s  in 0.1s

    2014-04-21 05:51:09 (219 KB/s) - `dnstop-20110502.tbz' saved [22846/22846]



  • @johnpoz:

    I clearly show pkg_add in what I typed, so not sure why you would see pkg-add

    Shows you have a syntax error? unknown command do you have a issue with ftp on your install of pfsense?

    I'm not sure why I saw pkg-add, I guess I copied it wrong. I downloaded that file and then uploaded it through the web interface to /tmp. Then on the console I switched to /tmp and ran pkg_add dnstop-20110502.tbz. That installed it to /usr/local/bin which isn't in my path. I was able to start it this way:

    /usr/local/bin/dnstop -l 9 ovpnc1
    

    ovpnc1 is my OpenVPN interface. After starting I switched to level 9 (the highest level) by pressing the 9 key. Now I can see the domain names that are requested. This is good and I appreciate the help but I'd really like to be able to log all requests and replies to a file, so if anyone figures out how to do that please let me know.

    If I create a special rule in the firewall to log all traffic to TCP/UDP 53 then that will show the names requested as well, and I guess I can parse the hosts from that. But is there a way for that logging to be separate from the other logging? In other words can I have a special log for a single rule?



  • You can't have a completely separate log, but you can easily just grep for the rule number, as it should be the same every time.

    Edit: or just grep for a DNS query in general. I'm able to watch DNS queries live with:

    tail -f /var/log/pfsense.log | grep -E "[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.53"


  • Rebel Alliance Developer Netgate

    Make them use the DNS Forwarder, then go to System > DNS Forwarder, add "log-queries" to the advanced options, and then monitor the resolver log.



  • Thanks for the ideas guys, I'll give them a try. I don't have a /var/log/pfsense.log though.



  • Sorry, that's my remote syslog path. In the default install it'd be clog /var/log/system.log



  • Does dnstop provides the information of the ip address and macid of the client from where the dns requests are generated?


  • LAYER 8 Global Moderator

    it gives you the IP if you want it..  mac address would only be useful if the dns was on same Layer 2 as the requestor..



  • That works great. Because I can use the DHCP logs stored in a remote host. I can get the macid which uses the IP address from that. Can you please help me with storing the dnstop logs in a remote host too?


  • LAYER 8 Global Moderator

    dns top doesn't really log..  you can load in a tcpdump "savefile".

    http://linux.die.net/man/8/dnstop
    dnstop is a small tool to listen on device or to parse the file savefile and collect and print statistics on the local network's DNS traffic. You must have read access to /dev/bpf*.
    dnstop [-46apsQR] [-b expression] [-i address] [-f filter] [-r interval] [device] [savefile]

    So you could log traffic on 53 tcp/udp with say tcpdump and then to via what was queried you could have dnstop parse the dump.. You could do a tcpdump in a loop to have lots of different files for say each day, etc..

    dnstop is great for keep an active eye on what is being queried and from who and what is most queried, etc..  But not really a good choice for archival of dns queries.  Your best bet in that case would be to have dnsmasq log and send that to syslog, or have bind log and would send that to syslog as well so you could have them on different machine.


Log in to reply